No federal privacy law? After the 23andMe hack, it’s time to take action

We’ve waited too long for this protection in America, digital rights advocate Kate Krauss writes. Other countries can point the way forward.

The open door, a metaphor for bad security. (Courtesy Kate Krauss/Unsplash/Jan Tinneberg)

On Oct. 6, 23andMe announced the loss of customer data to hackers who targeted Ashkenazi Jews. The data of as many as a million people was reportedly stolen and is currently being sold anonymously on the Internet. The hack exploited customers who reused passwords and the platform’s feature called “DNA Relatives,” linking one person to another.

We won’t easily forget this awful hack — but every year, tens of millions of Americans become victims of information leaks, so many that they have begun to blur together. Microsoft, for one, has been hacked at least 10 times since 2018.

Victims range from ordinary people, like those in the 23andMe hack, to the most politically sensitive: the State Department’s China diplomats; the Secretary of Commerce. Hackers access people’s email and steal their social security numbers or their home addresses, and in one case, in-depth psychological profiles needed for top security clearances.

If we use the frog-in-hot-water analogy for Americans and their information privacy, this frog is dead.

Weak laws let companies get away with weak security.

Current US privacy laws are so ineffective that Europeans are afraid to send their data here lest it be hacked, leaked, or surveilled. This fear was the basis of the tensely negotiated “Data Privacy Framework” between the EU and the US over whether and how to allow the personal data of European citizens to be sent to this country.

Without the risk of a giant fine or, say, jail time, many tech giants can and do get away with managing their data security badly. They fail to update security keys, encrypt users’ credit card numbers or enforce multi-factor authentication.

Weak laws let companies get away with weak security. For instance, 23andMe didn’t require users to use two-factor authentication or warn users about the dangers of enabling “DNA Relatives.” If they have to pay a small fine — small to them — that’s the cost of doing business.

In 2019, the year that the Cambridge Analytica scandal caught up with Facebook, the company paid $5 billion to the FTC for illegally sharing the data of 87 million people.

How much would Cambridge Analytica have cost Facebook if it had to face California’s new privacy laws?

Although it was the worst privacy violation in Facebook’s storied history of privacy violations, the company still got to keep 80% of its massive profits that year. Financially, the scandal was just a speed bump for Facebook.

How does this happen? Unlike Europe, the US lacks a strong, comprehensive national privacy law. Many Big Tech companies, including Facebook, say they support one, but through relentless lobbying they seem to benefit by dragging out the process of actually passing it. Not just big companies but also government agencies are building huge databases of citizens’ data.

According to a recent WIRED article: “A government report declassified by the Office of the Director of National Intelligence in June, 2023 revealed that US intelligence agencies were avoiding judicial review by buying a ‘large amount’ of ‘sensitive and intimate information’ about Americans, including data that can be used to track people’s locations over extended periods of time.”

Nothing to worry about there, right?

Dozens of privacy bills have been introduced into Congress, but partisan gridlock, an army of tech company lobbyists, the complexity of the issue and lack of public awareness have combined to prevent a major privacy bill from making it into law.

Last year, Amazon, Apple, Google, Meta and Microsoft combined spent over $60 million to lobby the federal government. Meanwhile, the Davids to these Goliaths — small nonprofits that focus on online privacy — are legally forced to limit lobbying to a tiny fraction of their work.

The FTC, which is charged with protecting consumers against unfair or deceptive business practices, currently has its hands full prosecuting major antitrust cases. It is underfunded and understaffed, and it’s mandated to cover every big company from Walmart to TikTok. The US might benefit from a separate federal agency that specializes in privacy concerns. So far, none exists.

So what is the answer?

Countries that have managed internet privacy better than we do point the way. Russia and China run major state hacking operations. Countries that live in their shadow, like Estonia and Taiwan, have built independent, grassroots citizen tech groups that successfully fend off widespread hacking and disinformation that might undermine their democracies. People in these countries recognize the stakes: It’s considered patriotic to protect online privacy.

In the US, we also need nonpartisan groups that can learn to protect online privacy and push back against the lack of federal and state protection. Think: Future Farmers of America, except all ages, learning and teaching online privacy in their communities. (Conflict disclosure: I’m an enthusiastic former member of FFA.)

Facial Recognition Art Mural, Hollywood. (Flickr/Yo! What Happened to Peace)

Other successful community models are community-oriented “CryptoParties” like CryptoHarlem, and arguably the most inclusive, powerful citizen data protection movement ever, Taiwan’s g0v.

The 0 stands for humility. This friendly, creative, and innovative grassroots hacker movement responds to the needs of Taiwan’s regular people and creates the right tools at the right time to fend off disinformation and hacking from its nearby neighbor. (Also, their meetings involve delicious meals, always a winner in community organizing. Taiwanese food is legendary. But I digress.)

Next, we must awkwardly embrace the dreaded patchwork of state laws.

In response to a public outcry for better data protection, California passed the California Consumer Privacy Act (CCPA) in 2018. Californians now have the right to know what personal information is collected, used, shared, or sold about them, the right to delete it, and the right to opt out of the sale or sharing of their personal information.

The California Privacy Rights Act of 2020 created a new California Privacy Protection Agency that manages the enforcement of California’s privacy laws and advises both the public and the legislature on privacy issues (because this stuff gets complicated).

The law also prohibits the collection and sale of biometric data including fingerprints, face scans, and voice recognition data without explicit user consent. A small percentage of corporate fine money can be used to fund nonprofit organizations engaged in online privacy projects (see what they did there?).

Nice, right? These California laws make great model legislation that could theoretically be passed, separately, in every state in the union.

If companies break these California laws, they incur giant fines. At $2,500 per affected user, the Cambridge Analytica scandal would have cost Facebook $217 billion, not $5 billion. That’s a meaningful fine — 40 times the money — that might change their behavior. No wonder they’re lobbying hard against privacy legislation.

Other states have also passed more piecemeal privacy legislation that is still valuable. Illinois has a new Protecting Household Privacy Act (the “Video Doorbell Act”). It prohibits law enforcement agencies from obtaining household electronic data, or directing private third parties to acquire it, without a warrant. The law, which took effect in January 2022, covers security cameras, virtual assistants, video doorbells and smart appliances that connect to the internet.

Who opposes some of these laws? Check out TechNet, the long lobbying arm of companies like Amazon and Facebook. See TechNet’s members: Apple, Facebook, etc. There’s also a handy map on their website, below the animated American flag, that shows who is lobbying in your neck of the woods.

What’s the downside of a multitude of state laws? Big companies (and most comprehensive laws only apply to big companies) have to comply with laws that may conflict with each other. For them, this is expensive, inefficient and time consuming.

However, by aggressively pursuing the near-term passage of state laws, ordinary people will be much better protected from the ongoing abuse of their personal information for profit and power. And the federal lobbying by TechNet and others is forcing states to try to fend for themselves on behalf of their citizens.

People > companies

A coordinated national effort to pass strong state privacy laws is a useful step for protecting vulnerable American citizens (and most of us are pretty vulnerable at the moment) until Congress enacts a federal privacy law, which could take years.

Will every state adopt California’s laws? That’s unlikely. Will some states enact wacky or dumb privacy laws? We’re living through a wacky, dumb era, so yes, but there’s nothing to prevent a state from passing another, stronger law, especially with the models that are available to them. And right now, people in most US states effectively have few meaningful protections. A good law in Nebraska at least protects the people of Nebraska.

Software developers are also building tools to help. The new, free app Permission Slip, made by Consumer Reports, monitors state laws and allows users to get the most out of privacy protections we do have, like automating the removal of personal data from individual companies. Tools like this one can help while the federal government gets its act together. Perhaps in the future, Permission Slip will include a feature that automatically lets us contact legislators to push for stronger privacy laws.

Are these ideas as good as comprehensive privacy legislation? Nope. But are we getting that any time soon? Nope.

Haz I been haxxed?

Worried about the big companies and how complicated and inefficient this is for them? All the lawyers they’ll need and all the laws they’ll have to follow?

While I play the world’s tiniest violin, please visit HaveIBeenPwned. This will jog your memory about just a few of the companies that accidentally leaked your data, and may clarify your thinking about their lax security (it doesn’t list them all: Looking at you, Equifax). When those big companies have to face 52 different privacy laws, it may clarify their thinking, too. And if they ever do get behind powerful federal privacy legislation, that will be a breakthrough for Americans’ most basic rights and US democracy. So I’ll be cheering them on.

This is a guest post by Kate Krauss, a digital rights advocate based in Philadelphia.